Ok, first off, this could all be marketing hype--everything they describe is indeed in very broad terms--and it could well just be to stir up interest. Though if a higher-up at Apple is plugging them a bit, it certainly implies that they're more than a productless company with a fancy-sounding whitepaper.
But anyway, if you actually read through what they're saying, here's a simple English translation of what they seem to be describing:
They intend to deploy their products at companies who are worried about hackers from other companies--not so much rogue college kids--and governments/terrorist organizations messing with them. Hence the whole "information warfare" analogy.
When a hack/interference (DoS) attack happens, their software is supposed to detect and classify its type and threat level in real time. That's part of its "power". Then, the logic is that the Internet is too spread out to wait for legal action--if you're being hacked in the US by a company from England using an ISP in Taiwan, it's a pain to get anything done in a timely fashion. In theory.
If the threat is a first time attempt or not very severe (script kiddie), the system theoretically makes a call using a set of policies the user has set up. This is what they mean by "symmetric responses"; generally blocking a port scan and reporting that IP address to some organization (apparently some sort of blacklist run by this company). Depending on the severity of the attempt, the system can then be further (manually) authorized to do an "invasive response", apparently consisting of an automated attempt to hack the offending computer and mess with them, or maybe delete some data if it was something really bad.
From the sound of it, the first course with an attack like this would just be standard blocking and reporting; one expects that would cover standard hijacked DDoS machines or AOL lusers and the like.
When there is a series of attacks, and standard methods of dealing with them have not worked (trying to get them shut down by an upstream provider or local legal methods--say, the DoSer is using a "spam friendly" ISP who refuses to do anything, or the Chinese government doesn't care), then things get "asymmetric".
At that point, the first step is to blacklist the upstream provider. If that's not enough, you can DDoS the offender (apparently using a system set up by this company, which sounds like it might use all of the installed systems together--sort of a "you scratch my back, I'll scratch yours" system). If that's not enough, you can get some professional hackers to hack them back, and then sue them/spread public misinformation about the company/and "psychological operations", whatever the heck that means.
Nowhere do they seem to be stupid enough to have their system automatically attack somebody until it's been proven that you've got somebody making a direct effort to attack you, and even then only when a human has specifically given authorization to do it--they state quite clearly that nothing invasive or offensive will happen without human authorization.
On the other hand, they do seem to be advocating some uncomfortably large-scale (we're talking about companies, not governments), generally "bad form" (it's business, not war), and more than likely downright illegal (on an INTERNATIONAL scale) actions. I do not take things like this lightly, and I don't see any reasonable corporation wanting to stick their faces in that kind of a hornet's nest unless everybody else does, too. At which point, you've got an open battleground, not a friendly international network.